Sunday, 26 June 2011

An overview of Blackhole exploit kit v1.1.0

Due to the recent rise on MDL, and also due to a lot of mail requests for demystifying BH (you know who you are),
here is a post on the latest version of this exploit kit (v1.1.0).
The panel is not ours (MalwareInt); it's just a takeover of a random panel :þ

NB: My friend ScriptKiddieSec has found a Russian 'ReadMe' of BH; you can read it here if you have access.

The panel is in PHP/AJAX; things can be moved around, it's nicely modular.
'Main' page (global stats):

Threads:

Files list:

Scan4you detections (using the bad guys' account):

Blacklist, for blocking the good guys :þ

Preferences of BH (default language, Scan4You account, stats, etc.):

Thread preferences/creation:

A thread:

Individual thread statistics:

The infection page (which looks like just a fake 404 page)

but if you view the source you will find a malicious obfuscated JavaScript (iframes that generally lead to various CVEs).

And sometimes with really weird things

picture by Hendrik Adrian (@unixfreaxjp):

These 'Google error' pages: it's not the first time I've met them...

I've already explained some interesting things about Black Hole in the past: Trojan.Ransom (HomoBlocker)
Your antivirus (e.g. Avast?) can probably alert you about this page due to the obfuscated code stepas.js, but nothing will harm you ;)
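The landing-page pattern described above (a page that looks like a plain 404 but carries an obfuscated inline script and hidden iframes) can be flagged with a small heuristic scanner; this is an added example with constructed sample pages and a placeholder hostname, not code from this post or from the kit:

```python
import re
from html.parser import HTMLParser

# Constructed samples (not real captures; hostname is a placeholder): a fake "404"
# page carrying an obfuscated inline script and a hidden iframe, and a genuine 404.
FAKE_404 = """<html><head><title>404 Not Found</title></head><body>
<h1>Not Found</h1><p>The requested URL was not found on this server.</p>
<script>eval(unescape('%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%27%3c%69%66%72%61%6d%65%3e%27%29'));</script>
<iframe src="http://landing.example.invalid/" width="0" height="0" style="visibility:hidden"></iframe>
</body></html>"""
GENUINE_404 = """<html><head><title>404 Not Found</title></head><body>
<h1>Not Found</h1><p>The requested URL /foo was not found on this server.</p>
</body></html>"""

# Obfuscation indicators: eval/unescape/fromCharCode or long runs of %XX escapes.
OBFUSCATION = re.compile(r"eval\(|unescape\(|fromCharCode|(?:%[0-9a-fA-F]{2}){8,}")

class LandingPageScanner(HTMLParser):
    """Collects three signals: visible 404 text, inline scripts, hidden iframes."""
    def __init__(self):
        super().__init__()
        self.in_script, self.text, self.scripts, self.hidden_iframes = False, [], [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self.in_script = True
        elif tag == "iframe":  # zero-size or invisible frames are the hallmark
            style = (a.get("style") or "").replace(" ", "").lower()
            tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
            if tiny or "visibility:hidden" in style or "display:none" in style:
                self.hidden_iframes.append(a.get("src", ""))

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        (self.scripts if self.in_script else self.text).append(data)

def scan(html):
    """404-looking page plus a hidden iframe or obfuscated script -> suspicious."""
    p = LandingPageScanner()
    p.feed(html)
    visible = " ".join(p.text).lower()
    looks_404 = "404" in visible or "not found" in visible
    obfuscated = sum(1 for s in p.scripts if OBFUSCATION.search(s))
    return {"looks_404": looks_404, "obfuscated_scripts": obfuscated,
            "hidden_iframes": p.hidden_iframes,
            "suspicious": looks_404 and (obfuscated > 0 or bool(p.hidden_iframes))}
```

The heuristics are deliberately simple: a real 404 page trips `looks_404` too, and only the combination with a hidden frame or obfuscated script produces a verdict.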